Endpoint Protection

  • 1.  How effective is SEP when installed on un-patched/open shared machine?

    Posted Dec 15, 2011 02:21 AM

    Hi All,

    As per the topic, I'm just curious how effective SEP with the latest definitions is when installed on a machine in the conditions below:

     

    1) Unpatched machine (a machine with 0 patches, or not patched with worm/virus-related updates)

     

    2) Open shared machine (what I mean is there are more than 1-2 folders shared on the LAN/WAN with full access & permissions for Everyone)

     

    Also

     

    3) Have you guys seen W32.SillyFDC.BDP move across the network from a PC using the logged-on user's domain credentials and trying to infect folders?

    How does this worm actually know that a shared folder exists on its LAN/WAN?

     

    regards

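An added example, not part of this post or of any Symantec material: a PowerShell audit that finds the "open shared" condition the question describes, i.e. shares whose share-level ACL (and, for the ones that matter, the NTFS ACL behind them) lets Everyone or another broad principal write. It assumes the SmbShare cmdlets (Windows 8 / Server 2012 and later) and an elevated session; the list of "broad" principals and the `DOMAIN\FileShareUsers` group in the suggested remediation are my assumptions, not names from the thread.

```powershell
# Added example (not from the thread): list SMB shares on this host that are
# writable by broad principals. Assumes Get-SmbShare / Get-SmbShareAccess
# (Windows 8 / Server 2012+) and an elevated PowerShell session.

# Principals that make a share writable by anyone who can reach it.
# Assumption: extend with your own catch-all groups (e.g. 'DOMAIN\Domain Users').
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ANONYMOUS LOGON',
    'BUILTIN\Users'
)

function Get-OpenSmbShare {
    # Emits one object per non-administrative share whose share ACL grants
    # Change or Full to a broad principal, plus whether NTFS also allows it.
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        $writableBy = @(Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (@('Full', 'Change') -contains $_.AccessRight) -and
            ($BroadPrincipals -contains $_.AccountName)
        })
        if ($writableBy.Count -gt 0) {
            # Share ACL and NTFS ACL are ANDed: the share is only truly open
            # if the folder's NTFS ACL lets the same principals write as well.
            $ntfsWrite = @((Get-Acl -Path $share.Path).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($BroadPrincipals -contains $_.IdentityReference.Value) -and
                ($_.FileSystemRights.ToString() -match 'FullControl|Modify|Write')
            })
            $first = $writableBy[0].AccountName
            [pscustomobject]@{
                Share         = $share.Name
                Path          = $share.Path
                ShareWritable = ($writableBy.AccountName | Sort-Object -Unique) -join ', '
                NtfsWritable  = ($ntfsWrite.Count -gt 0)
                # Suggested fix: drop the broad grant, grant a named group instead
                # (group name is a placeholder assumption).
                Remediation   = "Revoke-SmbShareAccess -Name '$($share.Name)' -AccountName '$first' -Force; " +
                                "Grant-SmbShareAccess -Name '$($share.Name)' -AccountName 'DOMAIN\FileShareUsers' -AccessRight Change -Force"
            }
        }
    }
}

Get-OpenSmbShare | Format-Table -AutoSize
```

Run it on each suspect host; every row with `NtfsWritable = True` is a folder that anything running as any authenticated user on the LAN can drop files into. For the discovery side of the question: the non-hidden shares a host exports can be listed by any authenticated user with `net view \\host` (the NetShareEnum RPC), so a share does not have to be "known" in advance to be found.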


  • 2.  RE: How effective is SEP when installed on un-patched/open shared machine?

    Posted Dec 15, 2011 12:20 PM

    Unpatched machines are going to be infected. Patching is 70% of your protection. The antivirus only does so much to protect the PC.

     



  • 3.  RE: How effective is SEP when installed on un-patched/open shared machine?

    Trusted Advisor
    Posted Dec 15, 2011 12:53 PM

    Hello,

    I agree with the statement above.

    The question arises: why not install MS security patches?

    It is worth thinking, "Why would Microsoft take such pains to release security patches?"

    NOTE: To secure the environment, it is important to install Microsoft security patches and Microsoft service packs to make sure your OS is completely secure, patched and without vulnerabilities.

    1) Symantec Endpoint Protection, when installed with full features and the latest definitions, is effective at blocking threats and vulnerabilities.

    2) When there are folders shared, it is important to enable the policy for scan network drives. (NOTE: this would consume resources)

    W32.SillyFDC.BDP is a worm that spreads through removable drives and downloads other files onto the compromised computer. 

    Check this Write-up: http://www.symantec.com/security_response/writeup.jsp?docid=2011-031106-4835-99&tabid=2

    Hope that helps!!



  • 4.  RE: How effective is SEP when installed on un-patched/open shared machine?

    Posted Dec 15, 2011 10:23 PM

    Hi All,

    Thanks for the input.

     

    @khaskins82

    That rate is quite high; what are the top 10-15 Microsoft patches suggested/must-install for XP SP3/Server OS?

    So far we know the 3 below are important:

    1) KB958644 (Downadup)

    2) KB2286198 (.LNK)

    3) KB9535966 (DNS)

     

    @Mithun

    1) Somehow we did see some Downadup variant bypass SEP (AV & AS only, but with the latest defs) and manage to run as a system process (hundreds of fake svchost.exe along with scheduled tasks).

    Does this mean that after scanning is done we would require a reboot to be more effective?

     

    2) One issue I see with scanning folders is permissions; some folders were customized by the customer's users with a password. How would you approach this?

    And also we've seen W32.SillyFDC.BDP/SillyFDC.BDP!LNK hitting open shared folder.... 

     

     

    Any suggestion where i can get more detailed write up for this worm?

    I wanted to know how it knows that a shared folder exists on the local LAN/WAN...

     

    3) Is it possible for a host which has been patched with the .LNK & Downadup patches, and has no shared folders, to be infected by SillyFDC.BDP/BDP!LNK?

    This host has no AV installed though....


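An added example, not part of this post and not a Symantec tool: PowerShell triage for the two artefacts the poster describes, a flood of fake `svchost.exe` processes and scheduled-task persistence. It relies on three properties of the genuine `svchost.exe` (it lives in `%SystemRoot%\System32`, its parent is `services.exe`, and it is always launched with a `-k <group>` argument); any instance failing one of those is listed. It assumes PowerShell 3+ with the CIM cmdlets, `Get-ScheduledTask` (Windows 8 / Server 2012+) and an elevated session so every image path is readable.

```powershell
# Added example (not from the thread): find svchost.exe impostors and list
# non-Microsoft scheduled tasks. Assumes PowerShell 3+, Windows 8/2012+ for
# Get-ScheduledTask, and an elevated session.

$LegitSvchost = Join-Path $env:SystemRoot 'System32\svchost.exe'

function Get-SuspiciousSvchost {
    # One object per svchost.exe that fails any of the three legitimacy checks.
    $procs = @(Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'")
    $servicesPids = @(Get-CimInstance Win32_Process -Filter "Name = 'services.exe'" |
        ForEach-Object ProcessId)

    foreach ($p in $procs) {
        $why = @()
        # -ne is case-insensitive, so C:\WINDOWS vs C:\Windows does not matter.
        if ($p.ExecutablePath -and ($p.ExecutablePath -ne $LegitSvchost)) {
            $why += "image is $($p.ExecutablePath)"
        }
        if ($servicesPids -notcontains $p.ParentProcessId) {
            $why += "parent PID $($p.ParentProcessId) is not services.exe"
        }
        if ($p.CommandLine -and ($p.CommandLine -notmatch '\s-k\s')) {
            $why += "no -k service group on command line"
        }
        if ($why.Count -gt 0) {
            [pscustomobject]@{
                PID    = $p.ProcessId
                Parent = $p.ParentProcessId
                Image  = $p.ExecutablePath
                Reason = ($why -join '; ')
            }
        }
    }
}

function Get-NonMicrosoftTask {
    # Every action of every task outside the \Microsoft\ folder. On hosts
    # without Get-ScheduledTask (XP/2003/2008) use
    #   schtasks /query /v /fo csv | ConvertFrom-Csv
    # and read the "Task To Run" column instead.
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $t = $_
        foreach ($a in $t.Actions) {
            [pscustomobject]@{
                Task    = $t.TaskPath + $t.TaskName
                State   = $t.State
                RunAs   = $t.Principal.UserId
                Execute = $a.Execute      # null for COM-handler actions
                Args    = $a.Arguments
            }
        }
    }
}

$bad = @(Get-SuspiciousSvchost)
"svchost.exe instances: $(@(Get-Process svchost).Count); suspicious: $($bad.Count)"
$bad | Format-Table -AutoSize
Get-NonMicrosoftTask | Format-Table -AutoSize
```

Treat the output as triage, not a verdict: a process that passes all three checks can still be a real `svchost.exe` with injected code, and a task under a Microsoft-looking path can still be hostile, so review the `Execute`/`Args` columns (anything under a user-writable or temp directory, or a `rundll32` of an odd DLL) rather than trusting the folder name.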


  • 5.  RE: How effective is SEP when installed on un-patched/open shared machine?

    Trusted Advisor
    Posted Dec 16, 2011 07:02 AM

    Hello,

    Question 1

    In reference to W32.Downadup and W32.Downadup.B, I would request you to check these articles:

    Best Practice for Downadup.B and Additional information on the same.

    https://www-secure.symantec.com/connect/articles/best-practice-downadupb-and-additional-information-same

     

    Simple steps to protect yourself from the Conficker Worm

    http://service1.symantec.com/support/ent-security.nsf/docid/2009033012483648

     

    Today, a lot of threats are created with a target, are better planned, and use the vulnerabilities of the OS and other software.

    Often, these are not detected by virus definitions, and that is where you require features like Proactive Threat Protection and Network Threat Protection.

    These features are recommended to provide you complete endpoint protection.

     

    Question 2:

    In reference to the W32.SillyFDC.BDP and SillyFDC.BDP!LNK

    I would recommend you to follow this Plan of Action:

     

    1) Install ALL the latest Microsoft security patches / service packs on ALL machines

    2) Disable AutoPlay with GPO

    http://support.microsoft.com/kb/953252

    3) Disable Scheduled Tasks with GPO

    http://support.microsoft.com/kb/310208

    4) Enable Security Auditing with GPO

    http://support.microsoft.com/kb/300549

     

    For W32.SillyFDC.BDP and SillyFDC.BDP!LNK, here are the Symantec write-ups:

    http://www.symantec.com/security_response/writeup.jsp?docid=2011-031106-4835-99

    http://www.symantec.com/security_response/writeup.jsp?docid=2011-053115-1305-99

     

     

    For Question 3:

    "Is it possible a host which have been patched with .LNK & Downadup patch and without shared folder being infected by SillyFDC.BDP/BDP!LNK ?

    This host has no AV installed though...."

     

    I believe you have answered your own question.

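An added example, not part of this reply and not Symantec or Microsoft code: a PowerShell check that reports whether the plan of action above is actually in place on a host. It covers the two well-formed KB numbers named in this thread (KB958644 for Downadup/MS08-067, KB2286198 for .LNK/MS10-046; extend the list for your environment), the KB953252 `NoDriveTypeAutoRun = 0xFF` setting that disables AutoRun on all drive types, and the local audit policy. Assumptions: an elevated session, `Get-HotFix` (Windows Vista / 2008 or later) and English `auditpol` output.

```powershell
# Added example (not from the thread): verify patches, AutoRun policy and
# audit policy on this host and print what is missing. Assumes elevation,
# Get-HotFix (Vista/2008+) and English-language auditpol output.

# KB numbers from the thread; extend for your environment (assumption).
$RequiredKBs = @('KB958644', 'KB2286198')   # MS08-067 (Downadup), MS10-046 (.LNK)

function Test-RequiredHotfix {
    # Get-HotFix reads Win32_QuickFixEngineering, which lists OS updates but
    # not every MSI-delivered fix, so a "missing" here means "confirm in WSUS".
    $installed = @(Get-HotFix | ForEach-Object HotFixID)
    foreach ($kb in $RequiredKBs) {
        [pscustomobject]@{ Check = "hotfix $kb"; Ok = ($installed -contains $kb); Value = $null }
    }
}

function Test-AutoRunDisabled {
    # KB953252: NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive
    # type. The policy key exists both machine-wide (HKLM) and per user (HKCU).
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $val = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        [pscustomobject]@{ Check = "$hive NoDriveTypeAutoRun"; Ok = ($val -eq 0xFF); Value = $val }
        # Remediation (run elevated):
        #   New-ItemProperty -Path $key -Name NoDriveTypeAutoRun -PropertyType DWord -Value 0xFF -Force
    }
}

function Test-AuditPolicy {
    # Subcategory lines from "auditpol /get /category:*" are indented by two
    # spaces: "  Logon    Success and Failure". Flag anything at "No Auditing".
    $lines = auditpol /get /category:* 2>$null
    foreach ($line in $lines) {
        if ($line -match '^\s{2}(\S.*?)\s{2,}(.+?)\s*$') {
            [pscustomobject]@{ Check = "audit: $($matches[1])"; Ok = ($matches[2] -ne 'No Auditing'); Value = $matches[2] }
        }
    }
    # Remediation example (run elevated):
    #   auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
}

$results = @(Test-RequiredHotfix) + @(Test-AutoRunDisabled) + @(Test-AuditPolicy)
$results | Format-Table -AutoSize
"Failed checks: $(@($results | Where-Object { -not $_.Ok }).Count)"
```

The hotfix check is the weakest of the three: `Win32_QuickFixEngineering` only knows about updates installed through the OS servicing stack, so cross-check any "missing" KB against WSUS or the Windows Update history before re-deploying it.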


  • 6.  RE: How effective is SEP when installed on un-patched/open shared machine?

    Posted Dec 18, 2011 09:53 PM

    Thanks for the info, Mithun; I'll take some time going through it.

     

    Bump for question below:

     

    @khaskins82

    That rate is quite high; what are the top 10-15 Microsoft patches suggested/must-install for XP SP3/Server OS?

    So far we know the 3 below are important:

    1) KB958644 (Downadup)

    2) KB2286198 (.LNK)

    3) KB9535966 (DNS)



  • 7.  RE: How effective is SEP when installed on un-patched/open shared machine?

    Posted Dec 19, 2011 11:01 PM

    Ok, it seems my post being moderated.

    A new SOPA-like policy?



  • 8.  RE: How effective is SEP when installed on un-patched/open shared machine?

    Posted Dec 28, 2011 04:35 AM

    Bump.

    Can anyone suggest recommended patches beyond the ones below?

     

     

    @khaskins82

    That rate is quite high; what are the top 10-15 Microsoft patches suggested/must-install for XP SP3/Server OS?

    So far we know the 3 below are important:

    1) KB958644 (Downadup)

    2) KB2286198 (.LNK)

    3) KB9535966 (DNS)



  • 9.  RE: How effective is SEP when installed on un-patched/open shared machine?
    Best Answer

    Trusted Advisor
    Posted Dec 28, 2011 10:47 AM

    Hello,

    To know more about the MS vulnerabilities, check this:

    http://us.norton.com/security_response/threatexplorer/vulnerabilities.jsp

    NOTE: All the Vulnerabilites are important to be patched.

    Hope that helps!!



  • 10.  RE: How effective is SEP when installed on un-patched/open shared machine?

    Posted Jan 03, 2012 05:14 AM

    Hi Mithun,

    Thanks for the share.

     

    Any other input from others?

     

    Thanks.